Is there any security benefit to encrypting sessio

2019-04-07 00:02发布

问题:

Would it prevent, for example, session hijacking? If not, what can I do to make my php sessions secure?

回答1:

What is sent to the client is a session identifier and not a session variable. These session identifiers are usually set as a cookie in the client. Of course, if anyone gets hold of the session identifier (for example, by using cross site scripting attack) from the user's browser or client, he can set the session identifier in his own client and impersonate as the other user.

Session variables, however, usually refer to the values in $_SESSION array. See http://www.php.net/manual/en/function.session-start.php for an example. These values are never sent over the network to the client.

As far as protecting session identifiers is concerned, I have already explained in the first paragraph that they are stored as cookies in the browser. In an HTTP session, the cookies are transmitted between the server and client in cleartext. This is vulnerable to eavesdropping (for example, a guy on a router through which your packets pass could capture your packets and read the session identifier from it). The best way to overcome this problem is to use HTTPS instead.



回答2:

I guess it depends on what you mean by "security benefit". If your application is on a shared host, and your session data is being kept in some unsecure central location where it could be open for other users to read, then yes, technically there is some security benefit to encrypting your sessions. However, it would be a much better use of your time and effort to simply write your own session storage mechanism so that you don't store them in an unsecure location in the first place; especially given how easy it is to do encryption completely wrong and give yourself a false sense of security.